CVE-2021-37704 Information
Description
PhpFastCache is a high-performance backend cache system (Packagist package phpfastcache/phpfastcache). In versions before 6.1.5, 7.1.2 and 8.0.7, the output of phpinfo() can be exposed if the /vendor directory is not protected from public access. This is a rare situation today, since the vendor directory is usually located outside the web root or protected by a server rule (.htaccess etc.). Only v6, v7 and v8 will be patched, in 6.1.5, 7.1.2 and 8.0.7 respectively. Older versions such as v5 and v4 are no longer supported and will NOT be patched. As a workaround, protect the /vendor directory from public access.
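The workaround the advisory names, as an added example that is not part of the advisory or the phpfastcache project: an Apache 2.4 configuration that denies HTTP access to a Composer vendor/ directory that sits inside the document root (the path /var/www/html is an assumed placeholder).

```apache
# Added example, not from the advisory or the phpfastcache project.
# Assumes Apache 2.4 (mod_authz_core, mod_alias) and a document root of
# /var/www/html (placeholder). The better fix is to keep vendor/ outside
# the document root entirely; if it must stay inside, deny all requests
# to it so no file under it, including one that calls phpinfo(), can be
# served.

# Virtual-host or server-config context: deny everything under vendor/.
<Directory "/var/www/html/vendor">
    Require all denied
</Directory>

# Alternative for a .htaccess file in the document root (needs
# AllowOverride FileInfo): answer 404 for any path under /vendor.
RedirectMatch 404 "^/vendor(/|$)"
```

After reloading Apache, a request for any path under /vendor should return 403 (Directory rule) or 404 (RedirectMatch rule) instead of file contents.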
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Reference
https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-cvh5-p6r6-g2qc
https://packagist.org/packages/phpfastcache/phpfastcache
https://github.com/PHPSocialNetwork/phpfastcache/blob/master/CHANGELOG.md#807
https://github.com/flextype/flextype/issues/567
https://github.com/PHPSocialNetwork/phpfastcache/commit/41a77d0d8f126dbd6fbedcd9e6a82e86cdaafa51
https://github.com/PHPSocialNetwork/phpfastcache/pull/813
https://github.com/PHPSocialNetwork/phpfastcache/pull/814
https://github.com/PHPSocialNetwork/phpfastcache/pull/815
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
4.3
Base Severity
MEDIUM